What do Secure Development Lifecycle (SDLC) security practices entail?

Study for the DSAC-11 Annex C Test with real-time quizzes and multiple-choice questions. Each question offers hints and explanations to enhance your preparedness. Boost your confidence and ensure success in your DSAC-11 Annex C exam!

Multiple Choice

What do Secure Development Lifecycle (SDLC) security practices entail?

Explanation:
Integrating security throughout the software development lifecycle means embedding security thinking into every phase, not saving it for later. This includes threat modeling at the design stage to identify potential attackers and attack paths, secure coding practices to minimize common flaws, thorough testing (including static and dynamic security testing) to uncover vulnerabilities, code reviews to catch issues developers may overlook, and ongoing patching and vulnerability management after release to keep the software protected. When security is built in from the start, risks are addressed sooner, remediation costs are lower, and the product remains safer in production. Approaches that wait until the end of development, rely only on audits after deployment, or skip threat modeling fail to provide proactive risk reduction and ongoing protection.
